Chipotle’s human resources emails made job applicants phishing bait

Mexican food. Image courtesy of Shutterstock.

Applying for jobs can be painful, but at least your interactions with “human resources” don’t put you at risk of anything worse than dashed hopes.

Actually, that’s not the case for those applying for a role at Chipotle. Until recently, the giant Mexican fast food restaurant chain was putting its job applicants at risk of identity theft and phishing attacks.

That’s because Chipotle was sending emails to new job applicants from an email address using a domain – – it didn’t own.

In fact, the domain wasn’t owned by anyone until an unemployed IT worker applied for a job at Chipotle, found out it wasn’t registered, and bought it for $30.

The IT worker, Michael Kohlman, tipped off security blogger Brian Krebs, who went to work and did what he does so well – exposing just how badly a major company has bungled security.

Once Kohlman owned the domain, he started receiving all emails people sent to, which could have been disastrous if a cybercrook had got to the domain first.

If he’d wanted to, Kohlman could have stolen personal information from those job applicants such as their names, email addresses, phone numbers, and so on.

Or he could have used the email to go phishing for more information from the applicants, perhaps by asking them for Social Security numbers or bank information for supposed “background checks.”

There are many ways the domain could have been abused in the wrong hands, as Kohlman told Krebs:

In a nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge.

This wasn’t a goof where Chipotle forgot to renew the domain registration – a screw-up that even big companies like Google and Microsoft aren’t immune to.

Chipotle had never owned the domain – it was just using the email address for emails that it told job applicants not to reply to.

But many people did reply to those emails, or emailed an address on the domain in hopes of finding someone at Chipotle HR.
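A check that catches this kind of mistake before a message template goes live, added here as an example (it is not from the original article): it parses outbound messages and flags every header address a reply or bounce could be delivered to whose domain is not in the organisation's inventory of registered domains. The inventory, the header list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's inventory of domains it has registered.
OWNED_DOMAINS = {"example.com"}

# Headers whose addresses a recipient's reply or a bounce can end up at.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

# Constructed sample templates (reserved example/test domains only).
TEMPLATE_BAD = (
    "From: Careers <noreply@example-hr.test>\n"
    "Return-Path: <bounce@mail.example.com>\n"
    "Subject: We received your application\n"
    "\n"
    "Please do not reply to this message.\n"
)
TEMPLATE_GOOD = (
    "From: Careers <noreply@hr.example.com>\n"
    "Reply-To: recruiting@example.com\n"
    "Subject: We received your application\n"
    "\n"
    "Thanks for applying.\n"
)


def is_owned(domain, owned=OWNED_DOMAINS):
    """True if domain is an owned domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    # Match on a label boundary so "notexample.com" does not pass.
    return any(domain == d or domain.endswith("." + d) for d in owned)


def audit_message(raw, owned=OWNED_DOMAINS):
    """Return sorted (header, address) pairs whose domain is not owned."""
    msg = message_from_string(raw)
    findings = set()
    for header in ADDRESS_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue
            _local, sep, domain = addr.rpartition("@")
            # An address with no domain part is flagged as well.
            if not sep or not is_owned(domain, owned):
                findings.add((header, addr.lower()))
    return sorted(findings)
```

A "no-reply" sender gets no exemption here: people reply to those addresses anyway, so the domain still has to be one the sender controls.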

Kohlman said he discovered the unregistered domain when he replied to the email he received after submitting an application and got an error message.

Kohlman went to Chipotle and offered to give them the domain for free, but they expressed no interest.

Now the website shows only a black screen with the message:

This is NOT the Chipotle Human Resources Page

Perhaps most concerning is the fact that Chipotle still doesn’t see how sending emails from an unregistered domain was a security no-no.

In an emailed statement, Chipotle told Krebs that the domain was “never functional,” and therefore there has “never been a security risk of any kind associated with this,” and it is “really a non-issue.”

Charitably, Kohlman said he wanted to help Chipotle and others “learn from their mistakes,” rather than causing Chipotle any “real damage.”

They didn’t get the message.

Maybe Chipotle – a $3.5 billion company that says it’s “on a mission to change the way people think about and eat fast food” – should start by hiring someone to think about security for a change.
